comparison modules/website/manifests/https.pp @ 136:765e72629b3e puppet-3.6
Fix "direct under CA" custom conditions and sites that use "cert named after domain" pattern
The 'undef' value coerces to empty string, so "$var == undef" becomes
"$var == ''", which broke our logic. Puppet 3 doesn't have a prettier solution
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Fri, 11 Nov 2016 21:04:13 +0000 |
parents | 9337c9ce648a |
children | 060f81349dd6 |
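--- a/modules/website/manifests/https.pp
+++ b/modules/website/manifests/https.pp
@@ -67,19 +67,44 @@
 $siteroot = "${website::basedir}/${shortname}"
 } else {
 $siteroot = $docroot
 }
 
-if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+if $ssl_cert == undef and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
 $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+} elsif $ssl_cert == undef {
+$sslcert = "${website::certdir}/${shortdomain}.crt"
+$sslkey = "${website::certdir}/${shortdomain}.key"
+File {
+mode => '0400',
+owner => 'root',
+group => 'root',
+}
+file { $sslcert:
+source => "puppet:///private/pki/custom/${shortdomain}.crt",
+before => Apache::Vhost[$name],
+notify => Service['httpd'],
+ensure => present;
+}
+file { $sslkey:
+source => "puppet:///private/pki/custom/${shortdomain}.key",
+before => Apache::Vhost[$name],
+notify => Service['httpd'],
+ensure => present;
+}
 } else {
 $sslcert = $ssl_cert
 $sslkey = $ssl_key
 }
 
-if $ssl_ca_chain == undef {
+if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $ssl_chain = $website::ca_chain
 }
 elsif $ssl_ca_chain == '' {
 # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
 $ssl_chain = undef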
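Review bot: The `File { … }` defaults block in the new `elsif $ssl_cert == undef` branch is not confined to the two certificate resources. A Puppet conditional does not open a new scope, and Puppet 3 resource defaults are dynamically scoped, so `mode => '0400'`, `owner => 'root'`, `group => 'root'` become the default for every `file` resource in the enclosing scope, and in anything declared from it, that does not set those attributes itself. The rest of that scope lies outside this section, so whether other file resources are affected cannot be confirmed from here. It would be safer to drop the defaults block and set `mode => '0400', owner => 'root', group => 'root',` directly on `file { $sslkey: }` and `file { $sslcert: }`. That states the private key's permissions on the resource that creates it, so they neither depend on nor leak through scope-wide defaults.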